- Community Home
- >
- Networking
- >
- Legacy
- >
- Switches, Hubs, Modems
- >
- Re: Remote Mirroring Loosing Traffic?
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 03:26 AM
тАО08-03-2010 03:26 AM
Remote Mirroring Loosing Traffic?
I am setting up remote mirroring to dupliacte traffic from our routers to a single point which can be connected to an IDS system. I am monitoring port statistics with Cacti and noticed that things don't quite add up.
The destination switch for the remote mirroring is only being used for this purpose, and the inbound traffic to this switch is 353MB/s. I using 2 interfaces as the destination ports, and they are currently at 50MB/s & 43MB/s. 50 + 43 != 353 (or anywhere close).
A source interface is currently showing 52MB/s in, 27MB/s out, collectively this is 79MB/s and is more than either of the 2 destination ports.
Does anyone have any idea what might be happening? I can't see any indication of dropped packets in the log or interface statistics.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 04:25 AM
тАО08-03-2010 04:25 AM
Re: Remote Mirroring Loosing Traffic?
What switch and what firmware are you running?
Tore
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 04:27 AM
тАО08-03-2010 04:27 AM
Re: Remote Mirroring Loosing Traffic?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 06:57 AM
тАО08-03-2010 06:57 AM
Re: Remote Mirroring Loosing Traffic?
I've now disabled all of the remote mirroring except for 1. The soure switch is showing 25MB/34MB (in/out) and the destination switch is showing 63MB in. This is close enough and it looks like the remote mirroring is working correctly to get as far as the destination switch.
The destination port is currently showing 17MB out, which is only ~25% of the expected data.
Cheers,
-Jeff
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 07:03 AM
тАО08-03-2010 07:03 AM
Re: Remote Mirroring Loosing Traffic?
If I'm seeing strange values generated I usually check that mine are set correctly to "In/Out Bits 64 bit counters" and the "maximum value" for the data source field is also large enough.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 07:26 AM
тАО08-03-2010 07:26 AM
Re: Remote Mirroring Loosing Traffic?
I have connected the destination port to my laptop and running ethstats I am seeing ~10MB/s-15MB/s
The statistics from the switch port for Rates (5 min weighted average) shows:
Utilization Tx : 01.48 %
This is a 1GB port so 1.48% is around 15MB/s.
Everything seems to be pointing to packets being lost within the switch?!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 11:28 AM
тАО08-03-2010 11:28 AM
Re: Remote Mirroring Loosing Traffic?
You might want to Upgrade to K.14.60
http://h10144.www1.hp.com/customercare/library/switches/8212zl/index.aspx?pageTab=5
Fixed in K.14.49:
sFlow (PR_0000015656) ├в Outbound sampling using sFlow is not functioning.
Hope it helps
Tore
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 11:39 AM
тАО08-03-2010 11:39 AM
Re: Remote Mirroring Loosing Traffic?
I was thinking of the wrong thing :(
Tore
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 12:02 PM
тАО08-03-2010 12:02 PM
Re: Remote Mirroring Loosing Traffic?
When you mention "The destination port is currently showing 17MB out, which is only ~25% of the expected data." is this from within the IDS or on the switch'es interface counters ?
Just a quick check. How did you configure the source side of the mirroring ?
How did you set up the destination ? What is the destination port's vlan membership compared to the source port on the source switch ?
The vlan / routed path the traffic follows should all be jumbo capable are you seeing any indication on any inter switch links of giants ( show interfaces all ).
If your IDS system 802.1Q tag aware ?
Sorry for all the questions.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-03-2010 12:41 PM
тАО08-03-2010 12:41 PM
Re: Remote Mirroring Loosing Traffic?
I also did a test with 'ethstats' from a laptop connected to the mirrored port, this showed a similar figure.
The commands I've been using are:
[source]
mirror 2 remote ip 192.168.4.183 11832 192.168.4.187
interface Trk4
monitor all both mirror 2
exit
[destination]
mirror endpoint ip 192.168.4.183 11832 192.168.4.187 port A3
The source has several VLANs tagged (no untagged), and the destination is just the default untagged VLAN 1.
The VLAN I'm using to move the data around (with subnet 192.168.4.0/24) is dedicated just for port mirroring, and yes jumbo frames are enabled.
I'm presuming the IDS will be VLAN aware, the evaluation the company is sending is due to arrive next week - I'm trying to get this ready before hand. I have seen reference to being able to remove VLAN tagging and might investigate this however to begin with I just want to get all the traffic to the destination port.
Cheers,
-Jeff